Merchant Posts Fraud FAQ

Save Mart, the California-based supermarket chain, has issued a list of frequently asked questions for customers, noting that fewer than 1,000 cardholders may have been affected by the payments card breach discovered in late November. [See Fraud Scheme Hits Grocer.]

The grocer says it's working with local law enforcement, the Secret Service and vendors to investigate the breach. An FAQ also is posted on the Lucky Supermarkets corporate page.

In its updated statement, Save Mart says: "Based on reports from our call center, it currently appears that there were fewer than 1,000 incidents of reported loss or attempted loss."

Save Mart also says this is not the first time one of its stores has been breached.

"In 2007, prior to our purchase of the [Lucky Supermarkets] store, an Albertsons store in San Leandro had a breach of their credit/debit card readers," the statement says. "Shortly after the purchase, law enforcement and card processors notified our company that there had been a confirmed breach of the systems in that store. We responded swiftly by notifying customers and re-inspecting all card readers in the chain. Following that assessment, we purchased and replaced in Spring of 2007 all credit/debit card readers in all check-lanes at the Albertsons stores we had purchased in early 2007."

In related news, the San Francisco Chronicle reports this week that several thousand dollars were stolen from a Comerica Bank account held by South Bay Blue Star Moms, a non-profit group that provides care packages to homeless veterans and active members of the military serving overseas. The compromise is suspected of being linked to purchases made at one or more Lucky supermarkets in the San Francisco Bay area, where point-of-sale card readers and PIN pads allegedly were manipulated. South Bay Blue Star Moms discovered the fraud when unauthorized ATM withdrawals, each for several hundred dollars, showed up on the account. The withdrawals, conducted on Dec. 5 and Dec. 6, were made at ATMs in San Jose, Arcadia and Los Angeles, Calif.

Save Mart has been relatively reserved about the facts surrounding the card breaches. In the latest statement, the company says: "According to law enforcement officials, the scam relied on wireless technology that enabled perpetrators to remotely retrieve credit/debit card data. This is apparently more advanced than previous known attempts that required criminals to physically retrieve devices out of retailers' stores to obtain stolen information."

While stopping short of saying it will provide credit monitoring for customers impacted by the breach, Save Mart does say it will work with customers and banks to provide "appropriate protection measures" for fraud victims.

"This is why the PTS standard was created," King says. "We saw that the criminals were finding it easy to break into the terminals and capture the mag-stripe information. And the changes we have seen since the introduction of the standard in 2005 have been significant. ... The terminal manufacturers have done a lot to improve the security."

The problem is that merchants are not upgrading or replacing legacy terminals as quickly as manufacturers are releasing improvements. "They can't just buy these terminals and forget them," King says. "They do have to keep an eye on them. ... Legacy terminals are the real problem. Old equipment needs to be upgraded, to ensure compliance with PTS and point-to-point encryption."

PCI PTS: Were the Terminals Compliant?

The scheme resembles the attacks that hit Michaels crafts stores in more than 20 states in May. Card readers and PIN pads on cashier POS systems in 90 Michaels stores were swapped for readers and pads manipulated to copy and transmit card details. Unlike Save Mart, which identified the tampering during a routine maintenance check, the fraud at Michaels came to light only when consumers reported fraudulent ATM and retail transactions to their financial institutions. Card issuers later tracked the fraud back to Michaels.

King says POS fraud is definitely getting more sophisticated. International crime rings are targeting certain countries, like the U.S., where a particular POS device make or model is popular. "Regardless of what kind of terminal it is, I would suggest that the merchants check to make sure that it's PTS-PCI approved," King says.

Criminals also are targeting POS networks - a method that proved fruitful for the four Romanians indicted recently by the U.S. Department of Justice. The four have been accused of orchestrating a multimillion-dollar scheme that targeted networks run by Subway and 150 other unnamed U.S. retailers. [See POS Fraud: How Hackers Strike.]

Investigators believe more than 80,000 U.S. consumers were compromised by the Romanians' war-driving - a hacking method that involves remotely scanning for open or vulnerable Internet connections to POS systems. Once a weak system was detected, they allegedly hacked internal computers and installed keylogging software onto the POS systems.

Pointing to the Romanians' hack, King says network vulnerabilities, coupled with skimming risks, make full compliance with the most up-to-date PTS version a necessity. Point-to-point encryption is key.

"Network security: This is the core of what the PCI is all about," King says. "The standard is all about protecting the transaction across the chain."

About the Author

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years' experience, she covered the financial sector for 10+ years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
